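A ConfigMap is a volume used to store configuration files, for example nginx's configuration file.
A Secret is used to store confidential data, such as passwords, TLS material, or the password for a Harbor registry.
Both can be passed into a Pod either as a Volume or as environment variables (ENV).
A Secret stores its values base64-encoded (base64 is an encoding, not encryption).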

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-demo1
data:
  username: "xiaoming"
  age: "12"
---
apiVersion: v1
kind: Pod
metadata:
  name: app-demo1
spec:
  containers:
  - name: demo
    image: nginx
    env:
    - name: USERNAME
      valueFrom:
        configMapKeyRef:
          name: app-demo1
          key: username
    - name: AGE
      valueFrom:
        configMapKeyRef:
          name: app-demo1
          key: age

To use the values, enter the Pod and run: echo $USERNAME $AGE

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-demo2
data:
  app.properties: |
    username=xiaoming
    age=13
---
apiVersion: v1
kind: Pod
metadata:
  name: app-demo2
spec:
  containers:
  - name: demo
    image: nginx
    volumeMounts:
    - name: app-demo2
      mountPath: "/config"
      readOnly: true
  volumes:
  - name: app-demo2
    configMap:
      name: app-demo2
      items:
      - key: "app.properties"
        path: "app.properties"

The values are now mounted into the Pod, as the file /config/app.properties.
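
# -n suppresses the trailing newline, which would otherwise become part of the stored value
echo -n admin | base64     # YWRtaW4=
echo -n 123456 | base64    # MTIzNDU2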

apiVersion: v1
kind: Secret
metadata:
  name: app-secret1
type: Opaque
data:
  username: YWRtaW4=
  # the key name must match the secretKeyRef key used by the Pod below
  password: MTIzNDU2
---
apiVersion: v1
kind: Pod
metadata:
  name: app-secret1
spec:
  containers:
  - name: demo
    image: nginx
    env:
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: app-secret1
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: app-secret1
          key: password

Reading the environment variables inside the Pod returns the values; they are decoded automatically.
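
A check for the Secret and Pod pairing above, as an added example that is not part of the original page: it decodes every Secret value without any key (anyone who can read the object recovers the plaintext), flags values that were encoded with a stray newline, and flags a `secretKeyRef` whose key the Secret does not define. The manifest JSON is constructed sample data, and the function names `decode_secret` and `lint` are hypothetical.

```python
import base64
import json

# Constructed sample, shaped like the items of `kubectl get secret,pod -o json`.
MANIFESTS = json.loads("""
[
 {"kind": "Secret", "metadata": {"name": "app-secret1"},
  "data": {"username": "YWRtaW4K", "pass": "MTIzNDU2"}},
 {"kind": "Pod", "metadata": {"name": "app-secret1"},
  "spec": {"containers": [{"name": "demo", "image": "nginx", "env": [
   {"name": "USERNAME", "valueFrom": {"secretKeyRef": {"name": "app-secret1", "key": "username"}}},
   {"name": "PASSWORD", "valueFrom": {"secretKeyRef": {"name": "app-secret1", "key": "password"}}}
  ]}]}}
]
""")

def decode_secret(secret):
    """base64 needs no key to reverse: return the plaintext of every value."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}

def lint(manifests):
    """Return findings for whitespace-padded values and dangling secretKeyRefs."""
    secrets = {m["metadata"]["name"]: decode_secret(m)
               for m in manifests if m["kind"] == "Secret"}
    findings = []
    for name, values in secrets.items():
        for key, value in values.items():
            if value != value.strip():  # e.g. `echo admin | base64` without -n
                findings.append(f"Secret {name}/{key}: leading/trailing whitespace")
    for pod in (m for m in manifests if m["kind"] == "Pod"):
        for container in pod["spec"]["containers"]:
            for env in container.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref is None or ref.get("optional"):
                    continue
                # A missing Secret or key keeps the container from starting.
                if ref["key"] not in secrets.get(ref["name"], {}):
                    findings.append(f"Pod {pod['metadata']['name']} env {env['name']}: "
                                    f"key '{ref['key']}' not in Secret {ref['name']}")
    return findings

if __name__ == "__main__":
    print(decode_secret(MANIFESTS[0]))
    for finding in lint(MANIFESTS):
        print(finding)
```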

apiVersion: v1
kind: Secret
metadata:
  name: app-secret2
type: Opaque
data:
  username: YWRtaW4=
  password: MTIzNDU2
---
apiVersion: v1
kind: Pod
metadata:
  name: app-secret2
spec:
  containers:
  - name: demo
    image: nginx
    volumeMounts:
    - name: app-secret2
      mountPath: "/config"
      readOnly: true
  volumes:
  - name: app-secret2
    secret:
      secretName: app-secret2
      items:
      - key: "username"
        path: "db.username"
      - key: "password"
        path: "db.password"

When a ConfigMap is updated, the Pod is updated automatically (rolling update).